fix: lock in policy report mapper (#4601)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-09-13 10:30:14 +02:00 · 2022-09-13 10:30:14 +02:00 · e516fb868e
commit e516fb868e
parent da5312c177
2 changed files with 15 additions and 6 deletions
--- a/pkg/policyreport/mapper.go
+++ b/pkg/policyreport/mapper.go
@ -22,3 +22,7 @@ func (m concurrentMap) decrease(keyHash string) {
 		m.Set(ns, 0)
 	}
 }
+
+func newConcurrentMap() concurrentMap {
+	return concurrentMap{cmap.New()}
+}
--- a/pkg/policyreport/reportrequest.go
+++ b/pkg/policyreport/reportrequest.go
@ -13,7 +13,6 @@ import (
 	kyvernov1alpha2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1alpha2"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
 	kyvernov1alpha2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1alpha2"
-	cmap "github.com/orcaman/concurrent-map"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/tools/cache"
@ -33,6 +32,7 @@ type Generator struct {

 	// changeRequestMapper stores the change requests' count per namespace
 	changeRequestMapper concurrentMap
+	mutex               *sync.RWMutex

 	// cpolLister can list/get policy from the shared informer's store
 	cpolLister kyvernov1listers.ClusterPolicyLister
@ -68,7 +68,8 @@ func NewReportChangeRequestGenerator(client versioned.Interface,
 	gen := Generator{
 		clusterReportChangeRequestLister: clusterReportReqInformer.Lister(),
 		reportChangeRequestLister:        reportReqInformer.Lister(),
-		changeRequestMapper:              newChangeRequestMapper(),
+		changeRequestMapper:              newConcurrentMap(),
+		mutex:                            &sync.RWMutex{},
 		cpolLister:                       cpolInformer.Lister(),
 		polLister:                        polInformer.Lister(),
 		queue:                            workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), workQueueName),
@ -141,6 +142,8 @@ func (gen *Generator) enqueue(info Info) {

 // Add queues a policy violation create request
 func (gen *Generator) Add(infos ...Info) {
+	gen.mutex.Lock()
+	defer gen.mutex.Unlock()
 	for _, info := range infos {
 		count, ok := gen.changeRequestMapper.ConcurrentMap.Get(info.Namespace)
 		if ok && count == -1 {
@ -155,17 +158,23 @@ func (gen *Generator) Add(infos ...Info) {

 // MapperReset resets the change request mapper for the given namespace
 func (gen Generator) MapperReset(ns string) {
+	gen.mutex.Lock()
+	defer gen.mutex.Unlock()
 	gen.changeRequestMapper.ConcurrentMap.Set(ns, 0)
 }

 // MapperInactive sets the change request mapper for the given namespace to -1
 // which indicates the report is inactive
 func (gen Generator) MapperInactive(ns string) {
+	gen.mutex.Lock()
+	defer gen.mutex.Unlock()
 	gen.changeRequestMapper.ConcurrentMap.Set(ns, -1)
 }

 // MapperInvalidate reset map entries
 func (gen Generator) MapperInvalidate() {
+	gen.mutex.Lock()
+	defer gen.mutex.Unlock()
 	for ns := range gen.changeRequestMapper.ConcurrentMap.Items() {
 		gen.changeRequestMapper.ConcurrentMap.Remove(ns)
 	}
@ -296,7 +305,3 @@ func hasResultsChanged(old, new map[string]interface{}) bool {

 	return !reflect.DeepEqual(oldRes, newRes)
 }
-
-func newChangeRequestMapper() concurrentMap {
-	return concurrentMap{cmap.New()}
-}